Privacy & Data Residency

We protect personal information with Canadian residency by default.

This policy explains what we collect, why we collect it, where it is stored, and how you can exercise your rights.

Last updated: May 9, 2026

Scope
Public website and Compliance Health platform (including Monitor and related services).
Residency
Customer Data hosted in Canada; no default cross-border replication for platform data.
Security
TLS 1.2+ in transit, encryption at rest, RBAC + MFA for privileged access.
Rights
Access, correction, deletion (where applicable), consent withdrawal, and regulator complaints.

At-a-glance summary

  • Who we are.Compliance Health Technologies Inc. (“Compliance Health”, “we”, “us”).
  • Scope.This policy covers our public websites and our Compliance Health platform (including “Monitor” and related services). Customer-specific processing terms are set out in our Terms and the Data Processing Addendum (DPA) available on request.
  • Residency. Customer Data is hosted in Canada by default. We do not enable cross-border replication for platform data by default. Some limited operational providers may process contact details or delivery metadata outside Canada to complete service communications.
  • Security. Encryption in transit (TLS 1.2+; TLS 1.3 preferred); core platform Customer Data stores encrypted at rest using AES-256 or AWS KMS-backed provider encryption controls; role-based access and multi-factor authentication for privileged access.
  • Your rights. You can access, correct, or delete your personal information; withdraw consent; and complain to applicable privacy regulators. For example, in Alberta this may include the Office of the Information and Privacy Commissioner.

Who we are & how to contact us

Compliance Health Technologies Inc. is a Canadian company. For privacy questions or requests, email privacy@compliancehealth.com.

What we collect

We collect only what is needed to deliver and improve our services, such as:

  • Account & organization data (name, email, organization/role).
  • Credentialing & compliance artifacts you or your organization upload (e.g., certifications, licenses/registrations, attestations, expiry dates, and related documents).
  • Service & security logs (e.g., authentication events, task activity, IP address, user agent) and minimal usage telemetry for reliability and improvement.
  • Program‑required evidence for education/placement contexts (e.g., immunization proof), where authorized by your institution or employer.

We do not collect marketing profiles from our public website. Any analytics we use are privacy‑preserving or aggregate and avoid tracking individuals. By default, we do not use Customer Data or personal information to train foundation models. Any exception would require explicit written customer instruction and approved contractual controls.

How we use personal information

  • Provide, operate, and secure the platform and related services.
  • Verify credentials, manage training/attestations, and generate audit‑ready evidence for authorized administrators.
  • Send service notifications (e.g., expiry reminders, security notices).
  • Improve reliability, safety, and user experience (aggregate or de‑identified analysis where possible).
  • Meet legal, regulatory, and contractual obligations.

Lawful basis & roles

We act as a service provider/processor for institutional and enterprise customers and process data only under their instructions. For our direct relationships (e.g., account signup), we rely on consent and/or our legitimate interests in providing secure, reliable services.

Public-sector customers

Where we process information on behalf of a public body (e.g., an Alberta post‑secondary), we act as a service provider under applicable access and privacy legislation and follow the customer's written directions and retention schedule.

Data residency & transfers

Primary hosting is in Canada. Backups and disaster‑recovery copies are also kept in Canada. We do not configure cross‑border replication for platform data by default. If a specific customer authorizes a cross‑border transfer for an integration, support, or other approved purpose, we apply encryption and contractual safeguards and document the approval.

Standard service notifications may be delivered via third‑party email services that process recipient contact details, delivery metadata, and limited message content outside Canada to complete delivery. We minimize Customer Data in notification content where practical, and customer-content notification paths can be configured through a customer-approved or Canada-resident route where required by contract.

Security measures

  • Encryption in transit and at rest using industry-standard protocols and algorithms.
  • Role‑based access control (RBAC) and multi‑factor authentication (MFA) for privileged access.
  • Environment separation; least-privilege service accounts; security-relevant application and administrative events logged and monitored.
  • Antivirus scanning for uploaded files before processing; file‑type validation.

Additional details are provided in our Security Overview.

Retention

We retain personal information only as long as necessary for the purposes above or as required by law or contract. Customer-specific retention schedules can be set by agreement or written instruction. Current examples include:

  • Audit logs: retained on configurable schedules consistent with legal and contractual requirements.
  • Temporary OCR artifacts: deleted within 24 hours once processing completes where technically applicable.
  • Credential artifacts & records: retained for the applicable customer contract term unless the institution instructs otherwise, or unless deletion is required for a superseded update, duplicate, corrupt or incomplete upload, abandoned upload, legal requirement, or approved lifecycle/termination instruction.
  • AI prompt/output logs, where enabled: governed by the customer-approved audit retention schedule and minimized or disabled where approved.

Your privacy rights

  • Request access to, or a copy of, your personal information.
  • Request correction or deletion (subject to legal/contractual limits).
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with an applicable privacy regulator. For example, in Alberta this may include the Office of the Information and Privacy Commissioner.

To exercise your rights, contact privacy@compliancehealth.com. We will respond within applicable timelines.

Cookies & analytics

Our marketing website uses minimal, privacy‑preserving analytics. The application uses essential cookies (e.g., for authentication/session). You can disable non‑essential cookies via your browser settings.

Children

Our services are intended for use by organizations (and their authorized users). We do not knowingly collect information from children without the authorization of the relevant institution/parent/guardian where required by law.

Service providers & subprocessors

We use vetted service providers to operate the platform. Primary hosting and processing of Customer Data occurs in Canada, including core cloud infrastructure and managed services. Certain service providers used for communications or support may process limited operational data outside Canada where required to provide their services. We will update this section as our providers change and will notify affected customers where contractually required.

Core subprocessors

  • Cloud Infrastructure: AWS Canada Central (ca-central-1)
  • Database Services: AWS RDS (PostgreSQL) hosted in ca-central-1
  • Object Storage: AWS S3 hosted in ca-central-1
  • Email Services: Postmark (general service email; may process delivery data outside Canada)

All subprocessors are contractually bound to implement appropriate security measures and protect Customer Data. Where cross‑border processing occurs (for example, for email delivery), we require contractual safeguards appropriate to the nature of the data.

Customer-specific deployments may include additional customer-approved subprocessors, such as Azure Canada, Microsoft Fabric, managed operations, or Canada-resident AI inference services, where included in the approved architecture and data processing terms.

Changes to this policy

We may update this policy to reflect operational, legal, or regulatory changes. Material changes will be posted here with a revised “Last updated” date and, where required, we will provide advance notice to customers.

Contact

Privacy Officer
privacy@compliancehealth.com

Trust by design

Built for regulated care teams

Compliance Health is designed for high-trust environments: Canadian residency, accountable automation, and clear evidence trails.

Visit Trust Centre

Canada-hosted

Customer data stored and processed in Canada (AWS ca-central-1).

Human oversight

Human-in-the-loop review with auditable checkpoints for each decision.

Audit-ready evidence

Evidence trails and logs designed for inspections and internal governance.

ISO/IEC 42001 roadmap

AI management controls in place; certification roadmap in progress.